Depths Of TJX's Incompetence Continue To Astound

from the leave-the-front-door-open dept

The TJX credit-card data breach, the largest disclosed to date, was remarkable in that it went on for a few years before it was detected and disclosed. It was established at the outset that the company didn't comply with the credit-card companies' security guidelines, but a story in today's Wall Street Journal spells out just how poor TJX's security was. Investigators believe the attackers used directional antennas to intercept traffic on the WiFi networks at the company's stores, which were protected only by the easily cracked WEP standard; TJX had never bothered to upgrade to WPA. You might think that wouldn't matter much, because surely the company had other layers of encryption and access control behind the wireless link, right? Wrong. Once the attackers had a foothold in the TJX network through a single store, they used keyloggers to gain access to the company's central database at its headquarters, set up their own accounts there, and the major theft began. TJX made it easier still by transmitting credit-card data to banks without encryption. Banks continue to see claims from fraudulent activity tied to the theft, and they're left holding the bag, so it's little wonder some of them have sued TJX in hopes of recovering damages.

This illustrates one of the biggest problems with identity theft and data protection: the companies responsible for leaks and losses typically aren't the ones that have to deal with or pay for the fallout. In this case, TJX's financial liability has so far been limited, and any fines it has to pay will likely be minimal despite its shoddy security. A company that feels no repercussions from a breach has no incentive to improve its security, so why would it bother? These misaligned incentives exacerbate the problem and help no one.
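"Easily cracked" deserves a concrete illustration, so here is an added example (not from the article, and not code from TJX, the WSJ, or the investigators) of WEP's core flaw. WEP encrypts each frame with RC4 keyed by a 24-bit IV, sent in the clear, concatenated with the shared key. With only 16.7 million IV values, a busy store network repeats one after roughly 4,000 frames (the birthday bound), and two frames under the same IV share a keystream: their ciphertexts XOR to the XOR of their plaintexts, and anyone who can guess one frame's contents (ARP and DHCP frames are largely predictable) recovers that keystream and decrypts every other frame under that IV without ever learning the key. The shared key, IV, and frame payloads below are constructed for the demo; the RC4 routine is the standard algorithm; the CRC-32 ICV that real WEP appends is omitted because the weakness does not depend on it. Key-recovery attacks such as FMS and PTW, as implemented in aircrack-ng, go further and derive the key itself from tens of thousands of captured frames; this example stops at the keystream-reuse step.

```python
"""WEP keystream reuse, illustrated. Added example; nothing here is TJX's or
the WSJ's material. Keys, IVs and frame payloads are constructed."""
from __future__ import annotations


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


IV_LEN = 3  # WEP's IV is 24 bits and travels in the clear


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: IV || (RC4(iv || shared_key) XOR plaintext).
    Real WEP also appends a CRC-32 ICV to the plaintext; omitted here
    because the weakness shown does not depend on it."""
    assert len(iv) == IV_LEN
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor(keystream, plaintext)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple[bytes, bytes]:
    """Attacker step 1: from one frame whose plaintext is known (an ARP or
    DHCP frame, say) recover (iv, keystream prefix) without the key."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    return iv, xor(body, known_plaintext)


def decrypt_with_reused_iv(frame: bytes, iv: bytes, keystream: bytes) -> bytes | None:
    """Attacker step 2: decrypt any other frame that reused that IV. Returns
    None if the IV differs; otherwise as many bytes as the keystream covers."""
    if frame[:IV_LEN] != iv:
        return None
    return xor(frame[IV_LEN:], keystream)


def demo() -> dict:
    """Walk through the attack on constructed frames; values are returned so
    they can be checked rather than only printed."""
    shared_key = b"\x0b\xad\xc0\xff\xee"  # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                   # IV the access point reuses
    known = b"ARP who-has 10.0.0.1 tell 10.0.0.250 from store-pos-07"  # predictable frame
    secret = b"Track2=4111111111111111=0912;CVV=123"  # constructed card-swipe payload

    f_known = wep_encrypt(shared_key, iv, known)
    f_secret = wep_encrypt(shared_key, iv, secret)

    # Shared keystream: ciphertexts XOR to plaintexts XOR, no key needed.
    leaks_xor = xor(f_known[IV_LEN:], f_secret[IV_LEN:]) == xor(known, secret)

    rec_iv, keystream = recover_keystream(f_known, known)
    recovered = decrypt_with_reused_iv(f_secret, rec_iv, keystream)

    # A frame sent under a different IV is not decryptable with this keystream.
    f_other = wep_encrypt(shared_key, b"\x01\x02\x04", secret)
    other = decrypt_with_reused_iv(f_other, rec_iv, keystream)

    return {"xor_leaks_plaintext": leaks_xor, "recovered": recovered, "other_iv": other}


if __name__ == "__main__":
    result = demo()
    print("ciphertext XOR equals plaintext XOR:", result["xor_leaks_plaintext"])
    print("recovered without the key:", result["recovered"])
```

The fix is not a longer key but a cipher mode that never reuses a keystream: WPA's TKIP mixes a per-packet key from a 48-bit sequence counter, and WPA2's AES-CCMP uses a 48-bit packet number as a nonce, so two frames never share keystream and the step above has nothing to work with. The same lesson applied one hop further in: had the card data been encrypted end to end before it ever hit the wireless link or the line to the banks, breaking the link layer would have yielded ciphertext rather than track data.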

Reader Comments

the paranoid guys who claim that no one needs to know a damn thing about them might be on to something...

someone posited a while ago that there should potentially be 10-20 ID numbers that you can have allocated to you, each one being completely separate from the others, and that something like the NSA should be the gatekeepers to the database. (although i'm not sure i want the gov't in charge...) the idea being that one number might be for medical issues, one for soc sec issues, one for credit issues, etc... and that some might simply be throw aways... i.e. if someone snatched it, you could toss it, and start fresh...

this is the ugly side of being digital.. you have no assurance that any part in the chain is actually secure. and the chain is only as strong as its weakest link...

I hardly think the banks are on the hook for much of the losses. Those bastards have a nasty habit of using chargebacks, so every little mom n pop store that took charges from those stolen cards are the ones taking it in the shorts.

So Long TJX

When I heard about this recent revelation, I couldn't believe it. One has to wonder what kind of IT chain of command there is in such a large business that an easily cracked encryption scheme like WEP would be used for mission critical tasks.

The banks are taking the brunt of this because of all the cancelled accounts and the need to reissue new cards, as well as the administrative overhead of dealing with TJX's total stupidity.

I am not happy to see this incident play out like it has, but since it has, it will be a boon to my business - providing systems support for small businesses. All I have to do is show a client the headlines - it'll be a slam dunk sale!

I'm not much into predictions, but I'll go out on a limb here and predict that within eighteen months, TJX will either be in bankruptcy or be seeking Chapter 11 protection.

They really blew it. The sad thing for me is I know a couple of folks at the Framingham office. Maybe I ought to advise them to polish up their resumes.

Re: So Long TJX

If anyone should wonder why they didn't bother with protecting customer information, it is because they are a sleazier version of Walmart. They got massive subsidies and incentives a few years ago to build their giant distribution center in my area on the basis that it would create semi-decent jobs. When it opened it turned out they were on par with or less than Walmart wages and benefits. When few were interested in working there they started busing in illegals from other areas.

Banks are culpable, too

These banks *accepted* insecure communications? They never should have done so. It is not sufficient that the banks' policies and procedures internally are secure, they should never have accepted this data stream over such links.

Ya know, if the company didn't comply with the strict security guidelines (and this isn't the first major company I've heard of that failed to do so) perhaps they could be found culpable for breach of contract.

Re: #5

They are actually subject to huge fines from the card associations (Visa, MC, etc.)

As someone who works in IT in a Fortune-300 retail company, it's really stinking hard to comply with the PCI (Payment Card Industry) requirements. Here's some reasons:

- PCI is new. Its rules didn't exist 5 years ago.
- PCI is ever changing. There's not a set of rules you can point at and say, "That's PCI." It's all a matter of "can the people trying at the moment break it?"
- Legacy systems are brittle and change slowly.

Why

I read the WSJ story and wondered what the business purpose was for warehousing years' worth of customer credit card information, names and soc. security numbers. Their refund/exchange policy is what, 30 days?

Sounds like..

Sounds like it is time for Congress to address the "personal data" security issue. I think it is time (past time) for them to come up with a regulation along the lines of the HIPAA regulations for this issue.

What About the Auditors?

No one here has asked who audits TJX and why that accounting firm isn't being lambasted in the media and sued for failing to report such obvious, gaping security holes in several issues of TJX's year-end audit reports.

Real Information Systems Audit has existed since at least 1990 and I'm not talking about accountants asking questions, I'm talking about systems people who know what they're doing and get paid to find exactly these kinds of problems and at the very least report the problems to the public and suggest improvements to the company.

Of course, as soon as they made such a negative report, they'd probably lose a multi-million dollar, multiple-year account, so often they either ignore or cover up such problems. Since they are so-called "professionals", they get to make up "rules" like GAAP that make them responsible for nothing at all - although that didn't work at all with Enron.

Did the auditors find these problems and did they report them in the public, year-end audit report? If so, senior management and the Board of Directors didn't perform much due diligence about getting things fixed and they ought to be fired and/or sued as well. If so, shareholders who read the year-end reports and ignored them, have no-one but themselves to blame if they lost money on their stocks.

If the auditors didn't find this mess over all those years, someone ought to hold them to account.

PCI and TJX

"As someone who works in IT in a Fortune-300 retail company, it's really stinking hard to comply with the PCI (Payment Card Industry) requirements. Here's some reasons:

- PCI is new. Its rules didn't exist 5 years ago.
- PCI is ever changing. There's not a set of rules you can point at and say, "That's PCI." It's all a matter of "can the people trying at the moment break it?"
- Legacy systems are brittle and change slowly."

PCI doesn't have to be hard; there are plenty of people out there to help. If it's too hard, your systems are either too full of holes and need rebuilding, or your budget for security is set unrealistically low.

There's free advice available here. Please drop us a line and we'll do what we can to help you out. Sometimes it's just a matter of trying a new tack with business management to approve budget.

PCI is not new, however; it's been around since 2001 as PCIDSS v1.0, and in its current form (v1.1) since 2004, a set of rules which you can download here, so it hasn't really changed that much. If you are being told that the goalposts are moving, get some better advice.

I will agree that legacy systems are brittle, but that's really why you should be concerned about their security and be prepared to either fix the security or replace them. That's just a business discussion.

A good QSA should be able to save you tons of headaches around PCI. If not, kick them out and get someone else in; there are plenty of people trying to get in on the act. You can download a list of these in your region from the VISA website.

Insider Job?

Is it possible that someone at TJX was in on it? I don't know, it is just pure speculation, but I find the level of incompetence extraordinary. It is hard to believe that people this incompetent could even have a functioning network, never mind how insecure it is.

TJMAX incompetency

Hello,
I have had two separate incidents of ID theft involving TJ Max. I think there should be a class action lawsuit against this company. If they're not punished this will continue.
My checking acct. # and driver license were stolen in one instance, and I had to cancel and replace my credit card in the other instance.
Thanks for listening, Karen